The Impact of Cloud Computing on U.S. Food and Drug Administration (FDA)'s Regulation of Medical Products
Cloud computing involves the delivery of computing as a service rather than a product. In a cloud computing solution, shared resources, software, and information are provided much like a utility, over a network to computers and other devices. Cloud computing has been embraced by the medical industry, and is used as a vital technology in electronic medical record systems and telemedicine solutions, among other products.
The U.S. Food and Drug Administration (“FDA”), which regulates the vast majority of medical products sold in the U.S., generally applies its existing regulatory scheme when facing new technologies like cloud computing. This is typified by FDA’s approach to nanotechnology that was developed in the last decade.
Cloud computing presents several challenges to FDA’s application of its existing regulatory scheme. For one, FDA, as a regulatory agency, has responsibility over medical products shipped in interstate commerce (specifically drugs, medical devices, and biologics), but lacks authority over the services provided by healthcare practitioners (i.e. “the practice of medicine”). Cloud computing involves the delivery of computing as a service rather than as a product, which complicates the analysis of how a cloud computing solution would be regulated by FDA.
The second challenge for FDA is the increased complexity of cloud computing software solutions. Medical device software has traditionally been very conservative in that it is generally installed on only one platform, with the hardware and operating system parameters “locked down” to limit compatibility issues. Further, communication is generally limited to interactions between a device and the computer system. In a cloud computing system, one or more cloud client software programs communicate with the cloud server software, and all of these software programs may be deployed on various hardware and operating systems. In fact, the strength of the cloud model is this ability to interact with the cloud server through a broad array of hardware and operating system platforms.
The third challenge to FDA’s existing regulatory scheme is in security. Medical information is scrupulously protected by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), numerous state laws, and physician ethical standards. As with financial information, medical information has great value. In a cloud computing software solution, this highly valuable and private medical information is often transmitted wirelessly and through the Internet, exposing it to potential theft. Further, the diffuse nature of cloud computing solutions and the ability to consolidate medical information from thousands of individuals in a single location poses significant liability risk from the loss of a single laptop or USB drive.
FDA does not currently have any specific regulations applicable to cloud computing. Further, FDA’s regulations applicable to computerized systems (21 C.F.R. Part 11) is currently being enforced only in a very limited manner. Despite this, FDA’s existing regulatory scheme has been applied to products and regulated processes that incorporate cloud computing services. Recent guidance has addressed gaps in the existing regulatory scheme, including FDA’s draft guidance on mobile medical applications.
Given the complexity with using cloud computing services in FDA regulated medical products, it is critical to carefully consider the regulatory impact of incorporating such services. Sheppard Mullin has expertise in the legal and regulatory issues surrounding cloud based services, including when using cloud computing in FDA regulated products and activities. Sheppard Mullin’s FDA practice has experience providing companies with advice on cloud computing issues, including counseling medical device software manufacturers.